[Samba] How to configure winbind to work with two domain controllers?

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Aug 11 10:10:20 MDT 2010


Your linux server needs to be in one domain only.  On the windows domain 
controllers, you can establish trusts between the domains.

On your linux server you may need to specify separate idmap parameters 
for each domain.   Based on "man idmap_ad" it might look something like


...
idmap domains = Domain1 Domain2
...
idmap config Domain1 : backend  = ad
idmap config Domain1 : range = 10001-20000
...
idmap config Domain2 : backend  = ad
idmap config Domain2 : range = 20001-30000
...
On 08/11/2010 10:36 AM, Sergey Stepanov wrote:
> Hello
>
> I have two domain controllers on win2k3 (say srv1.domain1 and 
> srv2.domain2) and winbind running on 3rd linux server (
>
> When I put "workgroup = domain1" in smb.conf, I can work with domain1 
> only, i.e.
> # ntlm_auth --username=dom1user --domain=domain1 --password=goodpassword
> NT_STATUS_OK: Success (0x0)
> but with domain2 fails:
> # ntlm_auth --username=dom2user --domain=domain2 --password=goodpassword
> NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
>
> When I change workgroup to "workgroup = domain2", the things changed:
> domain1 fails:
> # ntlm_auth --username=dom1user --domain=domain1 --password=goodpassword
> NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
> domain2 is ok:
> # ntlm_auth --username=dom2user --domain=domain2 --password=goodpassword
> NT_STATUS_OK: Success (0x0)
>
> Please, help, how to tell winbind to work with both domain controllers.
>
> winbind and ntlm_auth built from RHEL/CENTOS 5.5 srpm:
> # /usr/bin/ntlm_auth -V
> Version 3.0.33-3.28
> # /usr/sbin/winbindd -V
> Version 3.0.33-3.28
>
> kerberos is not used.
>
> sample smb.conf:
> [global]
>    winbind separator = +
>    winbind use default domain = no
>    winbind enum users = no
>    winbind enum groups = no
>    winbind use default domain = no
>    security = domain
>    encrypt passwords = yes
>    wins support = no
>    enhanced browsing = no
>    domain master = no
>    domain logons = no
>    local master = no
>    preferred master = no
>    name resolve order = lmhosts
>    auth methods = winbind
>    workgroup = domain1 # or domain2
>    netbios name = SERVER
>    password server = ip1 ip2 * # or without *
>
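The reply above recommends joining the Linux server to one domain, trusting the other from the domain controllers, and giving each trusted domain its own idmap block with a distinct uid/gid range. The script below is an added example (not code from this thread, from Samba, or from either poster) that parses the `idmap domains` and `idmap config <domain> : ...` lines of an smb.conf and flags the mistakes a practitioner would want to catch before restarting winbindd: a listed domain with no idmap block, a missing backend or range, a malformed range, and ranges of two domains that overlap. The smb.conf text embedded in the script is constructed for the example and follows the shape of the fragment in the reply; the `BAD_CONF` variant is constructed to show the overlap case.

```python
# Added example: sanity-check per-domain idmap ranges in an smb.conf.
# Not code from the Samba list thread or from Samba itself.
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment, following the reply's example layout.
SMB_CONF = """
[global]
   workgroup = DOMAIN1
   security = domain
   idmap domains = Domain1 Domain2
   idmap config Domain1 : backend  = ad
   idmap config Domain1 : range = 10001-20000
   idmap config Domain2 : backend  = ad
   idmap config Domain2 : range = 20001-30000
"""

# Constructed misconfiguration: Domain2's range starts inside Domain1's.
BAD_CONF = SMB_CONF.replace("20001-30000", "15000-30000")

DOMAINS_RE = re.compile(r"^idmap domains\s*=\s*(.+)$", re.I)
IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_idmap(conf: str) -> Tuple[List[str], Dict[str, Dict[str, str]]]:
    """Return (domains named in 'idmap domains', {domain: {option: value}})."""
    listed: List[str] = []
    per_domain: Dict[str, Dict[str, str]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment lines
            continue
        m = DOMAINS_RE.match(line)
        if m:
            listed = m.group(1).split()
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
            per_domain.setdefault(dom.lower(), {})[opt] = val
    return listed, per_domain


def check_idmap(conf: str) -> List[str]:
    """Return a list of problems; an empty list means the idmap layout is sane."""
    problems: List[str] = []
    listed, per_domain = parse_idmap(conf)
    ranges: List[Tuple[str, int, int]] = []
    for dom in listed:
        cfg = per_domain.get(dom.lower())
        if cfg is None:
            problems.append(f"{dom}: listed in 'idmap domains' but has no 'idmap config' lines")
            continue
        if "backend" not in cfg:
            problems.append(f"{dom}: no backend configured")
        rng = cfg.get("range")
        if rng is None:
            problems.append(f"{dom}: no range configured")
            continue
        m = RANGE_RE.match(rng)
        if not m:
            problems.append(f"{dom}: malformed range '{rng}'")
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo > hi:
            problems.append(f"{dom}: range low {lo} is greater than high {hi}")
            continue
        if lo < 1000:  # assumption for this example: keep clear of local account ids
            problems.append(f"{dom}: range {lo}-{hi} starts below 1000 and may collide with local accounts")
        ranges.append((dom, lo, hi))
    # Every pair of domain ranges must be disjoint, or ids become ambiguous.
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"{d1} range {lo1}-{hi1} overlaps {d2} range {lo2}-{hi2}")
    return problems


if __name__ == "__main__":
    for label, conf in (("good", SMB_CONF), ("bad", BAD_CONF)):
        print(f"[{label}]")
        for p in check_idmap(conf) or ["idmap configuration looks consistent"]:
            print("  " + p)
```

Run it against a real smb.conf by reading the file into `check_idmap`; the good fragment yields no findings, while the constructed bad one reports that the Domain2 range overlaps the Domain1 range. The check only covers the idmap lines; whether the trust itself works is still something to confirm on the domain controllers.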